
lookup table to show values that do not match

stephen123
Path Finder

Hi - I have a look-up table of error codes and descriptions, and a log file with error codes.

lookup error_descriptions_table look_up_errors as errors OUTPUT description | top description

This works fine if all the error codes are in the look-up table, but if a new error appears in the log it will not display it (or it combines them into a null field). So what I want it to do is display the error description if possible, otherwise display the code, in the same column.

So if the look-up table is

200, perfect

404, page not found

500, internal server error

etc

and the log file is

200

200

404

700

404

800

200

etc

At the moment I get

perfect 3

null 2

not found 2

What I want is

perfect 3

not found 2

700 1

800 1

Thanks


Drainy
Champion

Appending an eval after your search should do the job, something like:

| eval description=if(isnull(description),look_up_errors,description)

This basically says, set the field description equal to the look_up_errors value if the field is null (no value is returned from the lookup). Otherwise, if it isn't null then we can assume it has successfully looked up a description and instead keep using it.
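The full pipeline with the fallback applied to the question's sample codes, as an added example that is not part of the original answer. It assumes the lookup `error_descriptions_table` exists with columns `look_up_errors` and `description`, and that the event field is `errors`, as the question's `look_up_errors as errors` clause reads. The events are constructed with `makeresults`, and `in_lookup` is a hypothetical field added here to mark codes that are missing from the table.

```spl
| makeresults
| eval errors=split("200,200,404,700,404,800,200", ",")
| mvexpand errors
| lookup error_descriptions_table look_up_errors AS errors OUTPUT description
| eval in_lookup=if(isnull(description), "no", "yes")
| eval description=coalesce(description, errors)
| stats count BY description in_lookup
| sort - count
```

Rows with `in_lookup=no` are the codes that still need an entry in the lookup table.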


anwarmian
Communicator

That was a good answer, Drainy. It worked for me too.



stephen123
Path Finder

Thanks - that solved the problem 🙂
